Comments for DDoSing a Cell Phone Network

Comment from paranoia destroys ya on 2014-03-04
At what point will telemarketing robocallers exceed the capacity of the phone equipment thus creating a systemwide DOS failure?
Some days 1/2 of all calls to my parents are from the likes of Rachel of Cardholder Services.
A better use of the collected phone call metadata would have been to locate the dialers, based upon more calls being made from a number than can be manually dialed.
Comment from O.D.D on 2014-02-28
A quick question: a few years ago there was use of IMSI catchers that could fool phones into connecting to their networks and were able to alter messages and listen in to calls being made. From my reading it affected GSM networks. Does it have any effect on the later 2G, 3G and 4G networks? I am interested in doing a paper on this.
Comment from B.S. But not Bruce. on 2014-02-27
I think it's off-topic but I'll follow on the Snowden post.

Well it's easy for Ellard to say that, while his own phone is tapped and Snowden's phone call to Ellard will be directed to /dev/null and himself taken out.

Thanks Eric Snowden for doing all this. Thanks for bringing all this under the sunlight from under the carpet of agencies abusing their unjustified and uncontested power.

Comment from jdgalt on 2014-02-26
This seems as trivial for the cellular carriers to fix as the old-hat problem of cloned SIM cards has been. If the fix doesn't happen reasonably quickly, we'll know there's a political reason why not.

In a way, I'm glad that these kinds of stress tests are happening to the networks, because their operators will learn to make them more robust. What I'm really worried about is some kind of coordinated takedown of the entire network to prevent the proper response to some other type of attack (and I don't make any assumptions about which side "our" government might be on then).

Comment from W on 2014-02-26
Isn't all this security research pretty pointless now that we know it is a feature, not a bug?
Comment from Ex-HLR developer on 2014-02-26
So far from the original intent of CALEA, which specifically mandated that location information not be used by Law Enforcement. It always did.
Comment from Curious on 2014-02-26
@ 0day and others

"In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law." (from politico article quoted above)

Not knowing what might be quotations in this paraphrase shown in italic, I want to point out that I think the notion of a "scope" in such a context is really only meaningful after the fact and not in some allusion to a meaning yet to be disclosed or revealed. I suppose the paraphrase in its entirety might be a reinterpretation and really without anything quoted.

A phrase like "the scope of the law" seems really vague to me. It would surely become problematic if someone simply had assumed that a particular subject must have been "within the scope of the law", as if such was a particularly relevant point or otherwise had to have been the case regardless. (Theory, for the sake of theory.)

I initially wrote a wall of text explaining why it might be interesting to problematize such an expression, but I chose to keep it simple. :|

Comment from Evan on 2014-02-26
@0day:
The most interesting part of that article you posted is the following:

In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law.

It is interesting because Ellard asserts that a legal assessment of eavesdropping activities would be independent, but at the same time that he knows in advance what the outcome of such an assessment would be. Since we know there is some difference of opinion on the matter, it is not the case that there is a consensus that NSA surveillance is constitutional. Therefore, the only way Ellard can say what the outcome of the assessment will be is if the assessors are deliberately selected to agree with the government's position, making them anything but independent.

I posit that Ellard is not actually trying to pull a fast one on the American public; rather I think this sort of doublethink is actually the normal modus operandi of the NSA (and to a lesser extent, the rest of government bureaucracy). Parallel construction is another example of this kind of thing - the constitution prohibits certain kinds of evidence collection techniques to prevent abuse, so agents use them and simply fail to bring it up in court.

Increasingly, my belief is that the problem is not the NSA, the CIA, Keith Alexander, James Clapper, or the Patriot Act, it's the mindset that the rule of law is an empty ritual, a set of motions through which one goes but does not have any bearing on what they can actually do. At most they just have to give it a special name, like "enhanced interrogation".

Comment from 0day on 2014-02-26
Below is from: http://www.politico.com/story/2014/02/nsa-inspector-general-edward-snowden-103949.html
The National Security Agency’s top watchdog slammed Edward Snowden on Tuesday for failing to follow official protocol in relaying his concerns about wayward intelligence gathering and also faulted Congress for not vetting the details of post-9/11 surveillance programs.
“Snowden could have come to me,” George Ellard, the NSA’s inspector general, said during a panel discussion hosted by the Georgetown University Law Center.
Ellard, making his first public comments in seven years working for NSA, insisted that Snowden would have been given the same protections available to other employees who file approximately 1,000 complaints per year on the agency’s hotline system.
“We have surprising success in resolving the complaints that are brought to us,” he said.
In Snowden’s case, Ellard said a complaint would have prompted an independent assessment into the constitutionality of the law that allows for the bulk collection of Americans’ telephone metadata. But that review, he added, would have also shown the NSA was within the scope of the law.
“Perhaps it’s the case that we could have shown, we could have explained to Mr. Snowden his misperceptions, his lack of understanding of what we do,” Ellard said.
And if Snowden wasn’t satisfied, Ellard said the NSA would have then allowed him to speak to the House and Senate intelligence committees.

I am sure they would have been happy to be able to "take care of" Snowden's concerns...

This is like an issue where a ruling authority also expects its subjects to express "faith" toward themselves.

But "faith" is a concept from the realm of religion, generally understood to be expressed only toward 'conventionally invisible' beings like "The Creator God" (what-ever that may mean to the person) or something like that.

A problem with expressing faith is that the progress of "science" during the last 100+ years is often promoted as a reason for there no longer being a need for "faith". Everything (or at least most things) is either supposedly explainable through science or not worth "believing" in.

While organized religions are (sometimes perhaps intentionally) undermined through this, it leads to the implicit assumption that everyone should be free to have "faith" in what-ever they choose.

This freedom is sometimes in contrast with the government expectation that people have faith in them.

Thus for example Ed Snowden ended up believing that the wholesale spying is wrong.

Looking at this situation it seems like the US Government wants people to be willing to give away all their freedoms for them and maybe even die for them (well this last part they expect at least from those serving in the armed forces).

My take is that in all of this they are actually running a de facto religion.

Comment from Clive Robinson on 2014-02-26
Oh, I forgot to mention one thing: the HLR and AuC are not required for you to place calls; it's often the VLR that does the work... And the MSC or lower has the "backhaul" to the ISDN, POTS, Internet, etc.

It's important to know this because it enables someone to walk into an MSC and in effect --and over simplistically-- cut the link with the HLR or spoof it and allow users local to the MSC to still place calls and browse etc. This is one of the things that happened during the Arab Spring.

HLR is known as the "Home Location Register" and AuC is known as the "Authentication Center", thus HLR/AuC is a combination of both; there is also the VLR, which is known as the Visiting Location Register.

In the original GSM900 spec the Authentication Center provides authentication and encryption parameters that are used to verify the user's identity (on either the home or peering network) and --supposedly-- ensure the confidentiality of each call. Due to delays etc., when on a peering network you get temporary credentials in the VLR on the MSC such that you can make around five billable actions prior to getting a new set. This in and of itself is a bit of a security hole. Which means that the AuC which --supposedly-- protects the network operator from various types of fraud can still be duped something like a quarter of a century after various design failings were noted and reported...

The Home Location Register is a database used for storage and management of subscriber information. The HLR is considered the heart of both the switching and billing systems, thus it's the DB to go after if you are hacking the network for fraud. It stores permanent data about the home network subscribers, including their service profile, assumed current location and current activity status.

The Visitor Location Register, like the HLR, is a database that contains information about subscribers which is "temporary", and it is needed by the MSC in order to service visiting subscribers. The VLR is almost always integrated with the MSC. When a mobile roams into a new MSC area, the VLR connected to that MSC will request data about the mobile station from the HLR on the subscriber's home network. Thus, if the subscriber places a call etc., the VLR will have the required information to hand so the call etc. can be placed without incurring the time penalty of interrogating the HLR for each action.

Now some important things to note. Firstly, the HLR does not actually know where you are; the VLR likewise does not know either. The only thing that knows is the BSC and the BTS you are nominally located in, from the last exchange between your mobile and the BTS.

There is a perfectly good reason for this and it's to minimise "non billable" traffic across the network. What happens depends on the action concerned (primary or secondary) and if you have moved or not since the last action.

When you move from one BTS to another (handover) the BSC gets updated by the BTS; if the BTS you move to is on the same BSC then it has no need to pass the information upwards. If however the BTS you move to is on a different BSC then the BSCs talk to the MSC. However, if you move to a different MSC the HLR "should" be notified. However, there are good and proper reasons why it might not; one is when you are on the edge of the MSCs and you bounce back and forwards between the two.

Another is the operator has configured the network for minimum switching information going to the HLR... Either way it's an exploitable security issue for fraudsters as it allows two or more phones with the same IDs to be active on the network...

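A toy model of the update rules Clive describes above (BSC-local handover, BSC change reported to the MSC/VLR, MSC change reported to the HLR only when the operator allows it), added here as an illustration; it is not code from his comment or from any operator. The cell names, the suppress_hlr_updates flag and the assumption that an HLR notification also clears the previous VLR entry are constructed for the example; the last function is the defender-side check an operator would want: identities registered in two MSC areas at once, which the HLR alone cannot see when updates to it are suppressed.

```python
from dataclasses import dataclass, field

# Constructed toy topology: cell (BTS) -> (BSC, MSC). Real networks are far larger.
CELLS = {
    "c1": ("bsc1", "msc1"), "c2": ("bsc1", "msc1"),
    "c3": ("bsc2", "msc1"), "c4": ("bsc3", "msc2"),
}

@dataclass
class CoreNetwork:
    suppress_hlr_updates: bool = False       # operator "minimum switching info to HLR"
    bsc: dict = field(default_factory=dict)  # handset -> current cell (only the BSC knows)
    vlr: dict = field(default_factory=dict)  # msc -> {imsi: bsc}, one VLR per MSC
    hlr: dict = field(default_factory=dict)  # imsi -> msc, the HLR's idea of location

    def location_update(self, handset, imsi, cell):
        """Record a handover and return which tiers learned of it."""
        bsc, msc = CELLS[cell]
        old = self.bsc.get(handset)
        old_bsc, old_msc = CELLS[old] if old else (None, None)
        self.bsc[handset] = cell
        learned = ["BSC"]
        if bsc != old_bsc:                   # new BSC: the BSCs talk to the MSC
            self.vlr.setdefault(msc, {})[imsi] = bsc
            learned.append("VLR")
        if msc != old_msc and not self.suppress_hlr_updates:
            self.hlr[imsi] = msc             # new MSC: the HLR "should" be told
            if old_msc is not None:          # assumed: HLR tells the old VLR to forget
                self.vlr[old_msc].pop(imsi, None)
            learned.append("HLR")
        return learned

def duplicate_identities(net):
    """Defender check: IMSIs present in more than one MSC's VLR at the same time.
    With HLR updates suppressed, only cross-VLR correlation reveals this."""
    seen = {}
    for msc, entries in net.vlr.items():
        for imsi in entries:
            seen.setdefault(imsi, set()).add(msc)
    return {imsi: sorted(m) for imsi, m in seen.items() if len(m) > 1}

if __name__ == "__main__":
    net = CoreNetwork(suppress_hlr_updates=True)
    print(net.location_update("phoneA", "imsi-1", "c1"))  # BSC and VLR, HLR never told
    print(net.location_update("phoneA", "imsi-1", "c2"))  # same BSC: nothing goes up
    print(net.location_update("phoneB", "imsi-1", "c4"))  # second handset, same identity
    print(duplicate_identities(net))                      # imsi-1 active in msc1 and msc2
```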
Comment from Uh, Mike on 2014-02-26 (http://xkcd.com/722/)
The SIM card seems to be the new national ID.
Comment from Stuart Ward on 2014-02-26 (http://stuartward.wordpress.com/)
I am sure I saw a similar paper a couple of years ago. This is seriously flawed; I can't read the whole paper, not being an academic, and the paper itself is paywalled away.

While cloning older (2G) SIM cards was possible if they used the flawed COMP128 algorithm, the newer USIM cards, as must be used on all 3G networks, have much better protection against cloning.

Some networks will switch off their AUC if there are problems, and users will largely be unaware of this, as most phones do not report to the user that the phone is operating in an un-authenticated mode and not using encryption.

Once the AUC is turned off then cloning is trivial, as any USIM-reported IMSI will work on the network. The location updates for the phone will then be reported to the HLR. An HLR is designed to cope with high transaction volumes, and performing a DoS attack on this just through traffic load will be hard. When an operator sees increased load on the HLR they can turn down the frequency of location updates to ease the load.

Comment from kevinm on 2014-02-26
They misuse the term APT, and their title reads like a tabloid headline.